Over 1,300 Microsoft SharePoint servers exposed online remain unpatched against CVE-2026-32201, a spoofing vulnerability that Microsoft says was exploited as a zero-day and that attackers continue to abuse in ongoing campaigns.
Scope of the exposure: more than 1,300 public servers still vulnerable
Internet security watchdog Shadowserver warned this week that more than 1,300 Microsoft SharePoint servers reachable from the public Internet have not received the April 2026 security update that addresses CVE-2026-32201. Shadowserver said fewer than 200 systems have been patched since Microsoft released the fixes last week, leaving a large population of servers exposed.
What the vulnerability is and which SharePoint editions are affected
Microsoft described CVE-2026-32201 as an improper input validation weakness that enables network spoofing. The flaw affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition — the on-premises edition that uses a "continuous update" model. Microsoft said the vulnerability was flagged as a zero-day and that successful exploitation enables an attacker without privileges to perform low-complexity attacks that do not require user interaction.
Microsoft summarized the potential impact in technical terms: "An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability)." The company has not disclosed how the zero-day was used in the wild or linked the activity to any named threat actor.
CISA, Microsoft, and the federal directive: an accelerated deadline
Microsoft shipped security updates for CVE-2026-32201 as part of its April 2026 Patch Tuesday on April 14, the same day the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog. CISA used its authority under Binding Operational Directive (BOD) 22-01 to order Federal Civilian Executive Branch (FCEB) agencies to remediate affected SharePoint servers within two weeks — setting an April 28 deadline.
In its advisory, CISA warned: "This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," and instructed agencies to "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."
Shadowserver's tally and the operational reality for administrators
Shadowserver's scan-based estimate — over 1,300 publicly reachable SharePoint instances remaining unpatched — underscores a gap between patch availability and deployment. Microsoft addressed 167 vulnerabilities in the April 14 update, including two zero-days; nevertheless, the watchdog group found that the bulk of exposed SharePoint servers have not yet received or applied the fix for CVE-2026-32201.
The persistence of unpatched, Internet-facing SharePoint instances raises the chance that attackers can discover and exploit vulnerable targets without needing to chain multiple faults or to trick end users into interaction.
How FCEB agencies, enterprises, and security teams should be thinking about the incident
- Federal Civilian Executive Branch agencies: The CISA Binding Operational Directive gives a concrete two-week remediation clock that federal agencies must meet. Agencies will need to either apply the vendor-supplied mitigations, follow BOD 22-01 guidance for cloud services, or discontinue use of affected products if mitigations are not available.
- Enterprises running on-premises SharePoint Server: Organizations operating SharePoint Server 2016, 2019, or Subscription Edition that expose instances to the Internet should prioritize applying the April 14 updates for CVE-2026-32201 and verify that external-facing services are not left in an unpatched state.
- Security operations and incident response teams: With the vulnerability characterized as a zero-day that was exploited in live attacks and added to CISA's KEV Catalog, teams should prioritize discovery of public SharePoint endpoints, confirm patch status, and monitor for indicators of compromise tied to spoofing or unauthorized data access attempts.
Because Microsoft has not yet tied the zero-day use to a specific threat actor, defenders are left to act on the vulnerability's technical profile and the observable exposure of servers. The combination of a public patch release, a CISA KEV listing with a mandatory federal remediation timeline, and Shadowserver's tally of more than 1,300 unpatched, Internet-facing SharePoint servers creates a sharply defined operational problem: the fixes exist, but a meaningful fraction of exposed systems have not yet received them.
Source: BleepingComputer — Over 1,300 Microsoft SharePoint servers vulnerable to ongoing attacks




